Security of VPN (L2TP/IPsec) over Public WiFi?

This may be a somewhat naive question but:
Is it "reasonably" secure to connect my PC to the office server (Windows 2016) using VPN (L2TP/IPsec) over public WiFi?

Since using public WiFi (with or without a password) for activities such as browsing and email is a potential security risk, I always use a VPN service when outside of the office.

However, I am not so sure in the case of directly logging into the office server from the outside (to access files or carry out some simple management tasks). My main concern is having access credentials to the office network / server stolen. Let's say in a worst-case scenario the only internet access I have is a WiFi network with no password needed. Is it safe to use this to access the office server via VPN? In case anyone is wondering, I am pretty sure I don't have any state actors after me!

Comments are appreciated.
Paul McCabe Asked:

McKnife Commented:
That is what a VPN is for: a secure tunnel through insecure networks including the internet. It is safe.
0

Paul McCabe (Author) Commented:
That is what I assumed, but reassuring to have it confirmed by an expert. Thank you!
0
McKnife Commented:
VPN is encrypted traffic, so even over the filthiest (;-) WLAN, it cannot be intercepted in clear text.
0
McKnife Commented:
Wait, what kind of VPN is that? This could be some funny VPN that does not even use encryption (although it is standard).
0
Paul McCabe (Author) Commented:
I sometimes need to travel through some pretty disgusting WANs, so that is good to know!
0
btan (Exec Consultant) Commented:
There may be a small window when your machine is connected to the public wifi and you have not established the VPN.

During that window you should be restricting, using the local host firewall, the machine to have only (probably) DHCP and DNS traffic, no HTTP at first until the VPN is up. At the same time, the first connection to the public WiFi may be intercepted before the VPN starts.
0
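An added example (not from btan or anyone else in this thread) of the lockdown just described, using the built-in Windows firewall cmdlets on the client PC: on the Public profile only DHCP, DNS and the IPsec exchange with the office server are allowed until the tunnel is up, and everything else may leave only through the VPN adapter. The server address, the connection name and the rule group name are placeholders/assumptions.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the client PC.
# Assumptions: the office server's public address is 203.0.113.10 (placeholder) and the
# VPN connection/adapter is named "Office VPN".
$VpnServer = '203.0.113.10'
$VpnName   = 'Office VPN'
$Group     = 'Public WiFi lockdown'   # tag so the rules can be listed or removed together

# Default-deny on the Public profile; the rules below are the only exceptions.
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block -DefaultOutboundAction Block

# DHCP (client port 68 -> server port 67) so the machine can obtain a lease.
New-NetFirewallRule -DisplayName 'Allow DHCP' -Group $Group -Profile Public -Direction Outbound `
    -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67

# DNS so the VPN server's name resolves (only needed if the profile uses a hostname).
New-NetFirewallRule -DisplayName 'Allow DNS' -Group $Group -Profile Public -Direction Outbound `
    -Action Allow -Protocol UDP -RemotePort 53

# IPsec negotiation and data to the office server only: IKE UDP 500, NAT-T UDP 4500,
# ESP (IP protocol 50). L2TP's own UDP 1701 travels inside ESP and needs no rule.
New-NetFirewallRule -DisplayName 'Allow IKE and NAT-T to VPN server' -Group $Group -Profile Public `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 500,4500 -RemoteAddress $VpnServer
New-NetFirewallRule -DisplayName 'Allow ESP to VPN server' -Group $Group -Profile Public `
    -Direction Outbound -Action Allow -Protocol 50 -RemoteAddress $VpnServer

# Everything else may leave only through the tunnel adapter (any profile, because the
# VPN adapter is classified separately from the WiFi adapter).
New-NetFirewallRule -DisplayName 'Allow traffic inside VPN' -Group $Group -Profile Any `
    -Direction Outbound -Action Allow -InterfaceAlias $VpnName

# Review the result; Remove-NetFirewallRule -Group $Group (and resetting the profile
# default actions) undoes the lockdown.
Get-NetFirewallRule -Group $Group | Format-Table DisplayName, Profile, Direction, Action
```

A captive portal on a password-less WiFi needs plain HTTP to sign in, so the lockdown has to be lifted briefly for that step; that is exactly the window btan describes, so do nothing else on the network until the tunnel reports connected.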
Paul McCabe (Author) Commented:
L2TP by itself does not encrypt; IPsec does. My understanding is that L2TP/IPsec is the protocol of choice over PPTP, which is well known to be very insecure. Don't know how authoritative this is, but see: https://www.ivpn.net/pptp-vs-l2tp-vs-openvpn This states: "L2TP/IPSEC....is now the recommended replacement for PPTP on Microsoft platforms where data encryption is required."
0
Paul McCabe (Author) Commented:
btan, thank you for the additional detail. I am not an IT expert, but what might happen in the "window period" you mention? Do you mean there is a possibility the credentials for the VPN / server user could be stolen in this period?
0
btan (Exec Consultant) Commented:
L2TP/IPsec is generally regarded as being secure if openly published pre-shared keys are not used.
0
Paul McCabe (Author) Commented:
For connecting to the server, I am using a "secret" pre-shared key; it is definitely not published.
0
btan (Exec Consultant) Commented:
The window is when the machine is trying to connect to the WiFi to get an IP address before the VPN can be set up. During that, MitM may happen. Possibly credentials may be stolen, and the VPN should be using a certificate.

https://en.m.wikipedia.org/wiki/Man-in-the-middle_attack

The PSK should be safe if it is not revealed to anyone and it is not transmitted across the wire.
  1. Generate a new/different PSK for every VPN tunnel.
  2. Use a password/passphrase generator for the creation of the PSK.
  3. Generate a strong PSK (with at least 30 chars) to resist a brute-force attack.
  4. Do NOT send the PSK to your peer over the Internet.
  5. There is no need to store the PSK anywhere else. If it is configured on both sides, you can discard it. In the worst case, you need to generate and transfer a new one.

Some info
In enterprise deployments, it is common to either deploy the server certificate to employees' computers alongside the VPN software, or require the employee to make a first connection to the VPN from inside the company network where a MITM attack is not feared. The certificate is then stored in the VPN software configuration and the VPN client will refuse to connect if the server's public key changes.


If you're deploying a VPN service for your own use or for your organization's use, you should take care of provisioning the server certificate at installation time, before you go out in the wild. If a secure network is not available, you'll need to rely on some other communication channel to send the certificate. It could be an email, if that's how you identify users, but it would be best to rely on a pre-existing infrastructure such as GPG keys (send the certificate in a signed email) — which of course only shifts the problem to how to verify the GPG key.

If you're using a cloud-based VPN service, that service should provide you a way to verify their certificate (e.g. a web page served over HTTPS) and should document how to install the certificate or how to verify it on first use. Again, there isn't a single process that all VPN software follow.
0
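An added example, not from btan or this thread, that turns points 2, 3 and 5 of the PSK list above into a client-side script: it draws a 32-character PSK from the system CSPRNG, creates the L2TP/IPsec profile so that the client refuses an unencrypted session (the "funny VPN" case McKnife raised), and pins the IPsec proposal. The server name and connection name are assumptions.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the client PC.
# Assumptions: the office server answers L2TP/IPsec at vpn.example.com (placeholder)
# and the connection profile is to be called "Office VPN".

function New-VpnPsk {
    param([int]$Length = 32)   # the list above asks for at least 30 characters
    # 64-character alphabet: 256 mod 64 = 0, so reducing a random byte modulo 64 has no bias.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

$ConnectionName = 'Office VPN'
$ServerAddress  = 'vpn.example.com'   # placeholder
$psk = New-VpnPsk -Length 32

# Create the profile. EncryptionLevel Required disconnects if the server declines
# encryption; MSChapv2 is the PPP user authentication carried inside the IPsec tunnel.
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType L2tp -L2tpPsk $psk -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -Force

# Pin the IPsec proposal instead of accepting whatever is negotiated by default
# (assumption: the custom proposal is honoured for L2TP profiles as it is for IKEv2).
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

# Show the profile. The PSK is printed exactly once so it can be entered on the server
# out of band (point 4); after both sides have it, nothing needs to keep it (point 5).
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, TunnelType, EncryptionLevel, AuthenticationMethod
Write-Output "L2TP PSK (transfer to the server out of band, then discard): $psk"
```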
Paul McCabe (Author) Commented:
From the information you provided, I understand that if the VPN is using a certificate, MITM attack is unlikely. I don't think it is using a certificate at the moment, so I'll need to look into that.
0
Paul McCabe (Author) Commented:
Or, in your last sentence, do you mean that even when using a certificate, credentials can be stolen?
0
btan (Exec Consultant) Commented:
MitM is less likely with a certificate, since the attacker has to get the private key and be a trusted issuer. A pre-shared secret that is not revealed or leaked by any means is also still possible to reduce MitM. Comparing the two, the former, the certificate, is of higher difficulty to intercept. Nonetheless, there is no silver bullet; you have to be careful with the VPN service that is subscribed to, too.
0
Paul McCabe (Author) Commented:
Thank you for commenting. Understand your point about certificates being better than private key. However, since the key I am using is completely private (and has a strong randomized password), I think it is sufficient for my situation. Also get your point about having to be careful with commercial VPN services. I will review them. Thank you again for your answers and comments; they are very helpful and much appreciated.
0